[META] Document fine-grained access control permissions needed for each client call #194

Open
Jon-AtAWS opened this issue Feb 28, 2024 · 6 comments
Labels
enhancement New feature or request

Comments

@Jon-AtAWS
Member

This is a generic comment, across clients.

I often stumble when trying to make API calls, to understand the needed permissions under fine-grained access control. The problem is made somewhat worse, and somewhat better, with action groups. Mapping the action groups to what they actually do is made easier by this page https://opensearch.org/docs/latest/security/access-control/default-action-groups/. But even that doesn't go all the way, since I don't know what API calls are under the client calls.

For each client, and each API, can we document the permissions (not the action group) required to execute that API?

If we can add comments to the individual clients' methods, we should be able to auto-generate this documentation. Either way, we need to put the information somewhere.

@Jon-AtAWS Jon-AtAWS added enhancement New feature or request untriaged labels Feb 28, 2024
@wbeckler

This could live in the API spec and both the comments and documentation could be generated from that.

@dblock dblock removed the untriaged label Feb 28, 2024
@dblock
Member

dblock commented Mar 1, 2024

I'm moving this to opensearch-api-specification.

@dblock dblock transferred this issue from opensearch-project/opensearch-clients Mar 1, 2024
@dblock
Member

dblock commented Mar 1, 2024

@nhtruong @Xtansia

Where would we put this type of metadata in the newer flavor of OpenAPI spec that we're POCing?

@nhtruong
Collaborator

nhtruong commented Mar 3, 2024

Each API operation can be accompanied by a `description` property. Though it's only meant for a few sentences to summarize the operation. It's best to add an `externalDocs` to a doc that fully explains the feature.

@nhtruong nhtruong removed the untriaged label Mar 3, 2024
@Xtansia
Collaborator

Xtansia commented Mar 3, 2024

We can also always add an `x-required-permissions: ['indices:admin/mapping/put']` extension property on the operations.

@Jon-AtAWS
Member Author

That is the idea, BUT:

Whatever route we go, we need to specify whether the permission is under `cluster_permissions` or `index_permissions`. You can (and sometimes have to) add `indices:*` permissions at the cluster level. I admit to being completely confused about where to put, e.g. `indices:write/data/bulk`.

By Cluster level, I mean `cluster_permissions` in the FGAC policy:

            fgac_cluster_perms = {
                "cluster_permissions": [
                    "cluster_monitor",
                    "indices_all"
                ],
                "index_permissions": [{
                    "index_patterns": [
                        "*"
                    ],
                    "dls": "",
                    "fls": [],
                    "masked_fields": [],
                    "allowed_actions": [
                        "indices_all"
                    ]
                }]
            }
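
Added example, not part of the issue thread or of the OpenSearch project's code: a sketch of how a scoped `x-required-permissions` extension could be turned into a least-privilege FGAC role for a chosen set of operations, and how a flat list (the form first proposed above) leaves the cluster/index placement undecidable. The `cluster`/`index` keys, the `build_role` helper and the `operationId` values are assumptions made for illustration.

```python
# Added example. The {"cluster": [...], "index": [...]} shape of
# x-required-permissions is an assumption, not a published spec extension.
import json

# Constructed spec fragment; operationId values are sample data.
SPEC = {"paths": {
    "/{index}/_mapping": {"put": {
        "operationId": "indices.put_mapping",
        "x-required-permissions": {"index": ["indices:admin/mapping/put"]}}},
    "/_cluster/health": {"get": {
        "operationId": "cluster.health",
        "x-required-permissions": {"cluster": ["cluster:monitor/health"]}}},
    "/_bulk": {"post": {
        "operationId": "bulk",
        # Flat list, as first proposed in the thread: the scope is not stated.
        "x-required-permissions": ["indices:write/data/bulk"]}},
}}


def build_role(spec, operation_ids, index_patterns):
    """Return (role, unscoped): a role body limited to the listed operations,
    plus the permissions whose cluster/index scope the spec does not state."""
    cluster, index, unscoped = set(), set(), {}
    for methods in spec["paths"].values():
        for op in methods.values():
            if op.get("operationId") not in operation_ids:
                continue
            perms = op.get("x-required-permissions", {})
            if isinstance(perms, list):
                # Cannot tell cluster_permissions from index_permissions:
                # report it instead of guessing or widening the role.
                unscoped[op["operationId"]] = list(perms)
                continue
            cluster.update(perms.get("cluster", []))
            index.update(perms.get("index", []))
    role = {"cluster_permissions": sorted(cluster), "index_permissions": []}
    if index:
        role["index_permissions"].append(
            {"index_patterns": list(index_patterns),
             "allowed_actions": sorted(index)})
    return role, unscoped


if __name__ == "__main__":
    wanted = {"indices.put_mapping", "cluster.health", "bulk"}
    role, unscoped = build_role(SPEC, wanted, ["logs-*"])
    print(json.dumps(role, indent=2))
    print("scope not stated in spec:", unscoped)
```
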
